
What if someone gives you a binary that they claim is built from a particular source code? If you don't decompile it, how do you know if that's true or not? Or what if you can't trust your compiler (a la https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html)?



Reproducible builds. Sure, not every project can be built in a reproducible manner, but it at least reduces the chances of getting shady binaries.


Check out `guix challenge` for a concrete example of how tidily this can be done with a system that supports reproducible builds well!

https://guix.gnu.org/manual/en/html_node/Invoking-guix-chall...
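To make the two comments above concrete, here is an added example (not Guix code, and not the real nar/`guix challenge` format) of the core check: hash a build output tree in a way that ignores timestamps but covers every byte and file mode, then compare the local digest with digests reported by independent builders; any disagreement flags a binary that deserves scrutiny. All paths, builder names and the "ELF" payloads are constructed sample data.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def hash_tree(root: str) -> str:
    """Deterministic digest of a build output tree (hypothetical format, not
    Guix's nar). Sorted paths, file type, executable bit and bytes go into one
    SHA-256; mtimes and owners are ignored, as a reproducible-build check
    normalizes them. Two builds match only if every byte and mode matches."""
    h = hashlib.sha256()
    base = Path(root)
    for path in sorted(base.rglob("*")):
        rel = path.relative_to(base).as_posix()
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            kind, payload = "symlink", os.readlink(path).encode()
        elif stat.S_ISDIR(st.st_mode):
            kind, payload = "dir", b""
        else:
            exe = "x" if st.st_mode & stat.S_IXUSR else "-"
            kind, payload = "file:" + exe, path.read_bytes()
        h.update(f"{kind}\0{rel}\0{len(payload)}\0".encode())
        h.update(payload)
    return h.hexdigest()

def challenge(local_hash: str, reported: dict) -> dict:
    """Same idea as `guix challenge`: compare our own build against hashes
    that independent builders report. Any disagreement means one of the
    builds (ours or theirs) differs and the binary should not be trusted
    until the difference is explained."""
    agree = sorted(n for n, h in reported.items() if h == local_hash)
    disagree = sorted(n for n, h in reported.items() if h != local_hash)
    return {"agree": agree, "disagree": disagree}

def write_build(root: str, payload: bytes, mtime: int) -> None:
    """Constructed sample build output: one 'binary' plus a symlink to it."""
    out = Path(root, "bin"); out.mkdir()
    exe = out / "hello"; exe.write_bytes(payload); exe.chmod(0o755)
    os.utime(exe, (mtime, mtime))
    (out / "hi").symlink_to("hello")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b, \
         tempfile.TemporaryDirectory() as c:
        write_build(a, b"\x7fELF" + b"\x00" * 12, 0)            # our local build
        write_build(b, b"\x7fELF" + b"\x00" * 12, 1700000000)   # same bytes, later mtime
        write_build(c, b"\x7fELF" + b"\x00" * 11 + b"\x01", 0)  # one byte differs
        return challenge(hash_tree(a), {"builder-a": hash_tree(b), "builder-b": hash_tree(c)})
```

Running `demo()` reports `builder-a` in agreement (only its timestamp differed) and `builder-b` in disagreement (one payload byte differed), which is exactly the signal a reproducible-build check is meant to surface.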


I could never trust a bin I didn't build myself (with my own C compiler ofc).


Did you build that C compiler yourself? Using what compiler? Unless you bootstrapped it from a handwritten assembler, you'll need to consider the attack outlined in Reflections on Trusting Trust.


I did, but I foolishly relied on GCC before it was self-hosted; now I guess I should scrap the whole thing and build by hand.


There's actually someone out there who has done some impressive work on this, believe it or not!

https://savannah.nongnu.org/projects/stage0/



